[security flaw] Ubuntu is a plain text offender

Kevin O'Gorman kogorman at gmail.com
Tue May 24 17:01:07 UTC 2011


On Mon, May 23, 2011 at 4:37 PM, Kent Borg <kentborg at borg.org> wrote:

> Amedee Van Gasse wrote:
>
>> Yes, *YOU* don't reuse passwords, and neither do I. But that is entirely
>> beside the point.
>>
>
> Well, yes, and I agreed that e-mailing one's existing password is a bad
> idea. No dispute.
>
> But a *different* point is:
>
> Don't reuse passwords.
>
> So radical that I bet most Ubuntu users have never even heard it. It should
> be mentioned occasionally...
>
>
> -kb, the Kent who mentioned it.
>
>
I have a different take on this.

I have a list of my passwords. There are roughly 800 accounts on the list. The passwords are not all unique -- not even close, but fall into several categories. A few are completely unique, a few more are restricted to a specific kind of use, and the rest are reused to varying degrees.

If I had 800 distinct passwords, it would be unlikely I could remember all of the passwords just for accounts that hold money or other negotiable assets, especially if they were random, and I would have to carry a written list of more bulk than I like, obfuscated or not. I would have to use the list regularly and risk both losing it and having it "shoulder surfed".

A great many of the passwords are for things that do not worry me greatly. A breakin to a mailing list would for me be just a nuisance, for instance, as any harm would be just talk, and could be adequately addressed with more talk and a pw change.

I am not going to reset the PWs on all 800 accounts any time soon, either. This has been going on for about 15 years. Many of the accounts likely are dead now for one reason or another, but I'm not going to even try them all any time soon either. Think about it.

My point: match the effort and nuisance value of pw maintenance with the real sensitivity of the thing being protected. As our lives go increasingly online, there will be more people with 800 accounts or more of one kind or another. What's needed is a scalable system of pw management. A judgement call, of course, and preferences will differ. YMMV.

-- 
Kevin O'Gorman, PhD
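The tiered scheme described in the post (a few unique passwords, some restricted to one kind of use, the rest reused) can be turned into a small audit. The script below is an added example, not code from the thread or from anyone on it; the tier names, the policy rules and the account/password inventory are constructed placeholders, not real credentials. It flags the two reuse patterns that actually matter under such a policy: reuse of a top-tier password anywhere else, and a password shared across tiers, where a break-in to a low-value account hands over a higher-value one. It also orders the flagged accounts by sensitivity, so the reset effort lands on the accounts that hold money first rather than on all 800.

```python
"""Audit a password inventory against a sensitivity-tier policy.

Added example, not from the mailing-list thread. Account names, tiers and
passwords below are constructed placeholders, not anyone's real credentials.
"""
import secrets
import string
from collections import defaultdict

# Tiers in decreasing sensitivity (assumed names, a simplified version of the
# "unique / restricted use / reused" split described in the post).
TIERS = ("money", "identity", "restricted", "nuisance")

# Constructed sample inventory: (account, tier, password)
INVENTORY = [
    ("bank-checking", "money", "Q7v!ms2Xp9LrT4wz"),
    ("brokerage", "money", "Q7v!ms2Xp9LrT4wz"),      # reused within the top tier
    ("primary-email", "identity", "kite-gravel-moss"),
    ("work-vpn", "restricted", "kite-gravel-moss"),  # reuse crossing tiers
    ("ubuntu-users-list", "nuisance", "listpass"),
    ("some-forum", "nuisance", "listpass"),          # reuse within bottom tier: tolerated
]


def find_violations(inventory):
    """Return policy violations as sorted (account, reason) tuples.

    Policy (assumed for this example):
      * a 'money' password must be unique across the whole inventory;
      * a password must never be shared between accounts of different tiers.
    Reuse confined to a single lower tier is accepted, matching the post's
    "match effort to sensitivity" stance.
    """
    by_password = defaultdict(list)
    for account, tier, pw in inventory:
        by_password[pw].append((account, tier))

    violations = []
    for pw, users in by_password.items():
        tiers = {tier for _, tier in users}
        if len(users) > 1 and "money" in tiers:
            violations.extend((acct, "money-tier password reused") for acct, _ in users)
        elif len(tiers) > 1:
            violations.extend((acct, "password shared across tiers") for acct, _ in users)
    return sorted(violations)


def reset_priority(inventory, violations):
    """Order flagged accounts so the most sensitive tier gets new passwords first."""
    tier_of = {acct: tier for acct, tier, _ in inventory}
    flagged = {acct for acct, _ in violations}
    return sorted(flagged, key=lambda acct: (TIERS.index(tier_of[acct]), acct))


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """Fresh random password from the OS CSPRNG, for accounts being reset."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    found = find_violations(INVENTORY)
    for account, reason in found:
        print(f"{account}: {reason}")
    print("reset order:", reset_priority(INVENTORY, found))
    print("example replacement:", generate_password())
```

The check deliberately does not complain about the two nuisance-tier accounts sharing a password: that is the reuse the post argues is acceptable. What it does catch is the case where the same password protects both an e-mail account and a VPN login, which is the kind of cross-tier reuse that turns a minor break-in into a serious one.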